diff --git a/core/includes/form.inc b/core/includes/form.inc index 16353d8..7f82199 100644 --- a/core/includes/form.inc +++ b/core/includes/form.inc @@ -574,10 +574,11 @@ function template_preprocess_form_element_label(&$variables) { * Note: if the batch 'title', 'init_message', 'progress_message', or * 'error_message' could contain any user input, it is the responsibility of * the code calling batch_set() to sanitize them first with a function like - * \Drupal\Component\Utility\SafeMarkup::checkPlain() or - * \Drupal\Component\Utility\Xss::filter(). Furthermore, if the batch operation - * returns any user input in the 'results' or 'message' keys of $context, it - * must also sanitize them first. + * \Drupal\Component\Utility\Html::escape() or + * \Drupal\Component\Utility\Xss::filter(). The 'results' key is not displayed + * to the user and therefore it is responsibility of the batch callbacks to + * handle sanitization if required. If the 'results' key is being themed using + * item_list the callback can rely on Twig auto-escape. * * Sample callback_batch_operation(): * @code @@ -601,8 +602,11 @@ function template_preprocess_form_element_label(&$variables) { * * $nodes = entity_load_multiple_by_properties('node', array('uid' => $uid, 'type' => $type)); * $node = reset($nodes); - * $context['results'][] = $node->id() . ' : ' . SafeMarkup::checkPlain($node->label()); - * $context['message'] = SafeMarkup::checkPlain($node->label()); + * // This can be used by the batch finished callback. If this is displayed to + * // the user via the item list theme then it will be auto-escaped. + * $context['results'][] = $node->id() . ' : ' . $node->label(); + * // This is used in JavaScript and should be escaped. + * $context['message'] = SafeMarkup::isSafe($node->label()) ? $row->title : Html::escape($node->label()); * } * * // A more advanced example is a multi-step operation that loads all rows, @@ -621,10 +625,13 @@ function template_preprocess_form_element_label(&$variables) { * ->range(0, $limit) * ->execute(); * foreach ($result as $row) { - * $context['results'][] = $row->id . ' : ' . SafeMarkup::checkPlain($row->title); + * // This can be used by the batch finished callback. If this is displayed + * // to the user via the item list theme then it will be auto-escaped. + * $context['results'][] = $row->id . ' : ' . $row->title; * $context['sandbox']['progress']++; * $context['sandbox']['current_id'] = $row->id; - * $context['message'] = SafeMarkup::checkPlain($row->title); + * // This is used in JavaScript and should be escaped. + * $context['message'] = SafeMarkup::isSafe($row->title) ? $row->title : Html::escape($row->title); * } * if ($context['sandbox']['progress'] != $context['sandbox']['max']) { * $context['finished'] = $context['sandbox']['progress'] / $context['sandbox']['max']; diff --git a/core/lib/Drupal/Component/Utility/SafeMarkup.php b/core/lib/Drupal/Component/Utility/SafeMarkup.php index c1c86f5..1e164ce 100644 --- a/core/lib/Drupal/Component/Utility/SafeMarkup.php +++ b/core/lib/Drupal/Component/Utility/SafeMarkup.php @@ -15,9 +15,13 @@ * provides a store for known safe strings and methods to manage them * throughout the page request. * - * Strings sanitized by self::checkPlain() and self::escape() are automatically - * marked safe, as are markup strings created from @link theme_render render - * arrays @endlink via drupal_render(). + * Strings that are considered safe include: + * - Strings sanitized by self::format() unless a !placeholder argument is not + * already marked safe. + * - The output of TranslationManager::translate() and + * TranslationManager::formatPlural(). + * - Markup strings created from @link theme_render render arrays @endlink via + * Renderer::render(). * * This class should be limited to internal use only. Module developers should * instead use the appropriate @@ -27,6 +31,9 @@ * * @see TwigExtension::escapeFilter() * @see twig_render_template() + * @see \Drupal\Core\Render\Renderer::render() + * @see \Drupal\Core\StringTranslation\TranslationManager::translate() + * @see \Drupal\Core\StringTranslation\TranslationManager::formatPlural() * @see sanitization * @see theme_render */ @@ -130,36 +137,6 @@ public static function getAll() { } /** - * Encodes special characters in a plain-text string for display as HTML. - * - * Also validates strings as UTF-8. All processed strings are also - * automatically flagged as safe markup strings for rendering. - * - * @param string $text - * The text to be checked or processed. - * - * @return string - * An HTML safe version of $text, or an empty string if $text is not valid - * UTF-8. - * - * @ingroup sanitization - * - * @deprecated Will be removed before Drupal 8.0.0. Rely on Twig's - * auto-escaping feature, or use the @link theme_render #plain_text @endlink - * key when constructing a render array that contains plain text in order to - * use the renderer's auto-escaping feature. If neither of these are - * possible, \Drupal\Component\Utility\Html::escape() can be used in places - * where explicit escaping is needed. - * - * @see drupal_validate_utf8() - */ - public static function checkPlain($text) { - $string = Html::escape($text); - static::$safeStrings[$string]['html'] = TRUE; - return $string; - } - - /** * Formats a string for HTML display by replacing variable placeholders. * * This method replaces variable placeholders in a string with the requested @@ -213,7 +190,7 @@ public static function checkPlain($text) { * - Non-HTML usage, such as a plain-text email. * - Non-direct HTML output, such as a plain-text variable that will be * printed as an HTML attribute value and therefore formatted with - * self::checkPlain() as part of that. + * \Drupal\Component\Utility\Html::escape() as part of that. * - Some other special reason for suppressing sanitization. * * @return string diff --git a/core/modules/views/src/Plugin/views/field/FieldPluginBase.php b/core/modules/views/src/Plugin/views/field/FieldPluginBase.php index 23eccf2..6bfef9b 100644 --- a/core/modules/views/src/Plugin/views/field/FieldPluginBase.php +++ b/core/modules/views/src/Plugin/views/field/FieldPluginBase.php @@ -1565,7 +1565,7 @@ public function getRenderTokens($item) { // Use strip tags as there should never be HTML in the path. // However, we need to preserve special characters like " that - // were removed by SafeMarkup::checkPlain(). + // were removed by \Drupal\Component\Utility\Html::escape(). $tokens["{{ raw_arguments.$arg }}"] = isset($this->view->args[$count]) ? strip_tags(Html::decodeEntities($this->view->args[$count])) : ''; $count++; } diff --git a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php index 12f2012..26c0f5b 100644 --- a/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php +++ b/core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php @@ -154,44 +154,6 @@ public function testInvalidSetMultiple() { } /** - * Tests SafeMarkup::checkPlain(). - * - * @dataProvider providerCheckPlain - * @covers ::checkPlain - * - * @param string $text - * The text to provide to SafeMarkup::checkPlain(). - * @param string $expected - * The expected output from the function. - * @param string $message - * The message to provide as output for the test. - * @param bool $ignorewarnings - * Whether or not to ignore PHP 5.3+ invalid multibyte sequence warnings. - */ - function testCheckPlain($text, $expected, $message, $ignorewarnings = FALSE) { - $result = $ignorewarnings ? @SafeMarkup::checkPlain($text) : SafeMarkup::checkPlain($text); - $this->assertEquals($expected, $result, $message); - } - - /** - * Data provider for testCheckPlain(). - * - * @see testCheckPlain() - */ - function providerCheckPlain() { - // Checks that invalid multi-byte sequences are escaped. - $tests[] = array("Foo\xC0barbaz", 'Foo�barbaz', 'SafeMarkup::checkPlain() escapes invalid sequence "Foo\xC0barbaz"', TRUE); - $tests[] = array("\xc2\"", '�"', 'SafeMarkup::checkPlain() escapes invalid sequence "\xc2\""', TRUE); - $tests[] = array("Fooÿñ", "Fooÿñ", 'SafeMarkup::checkPlain() does not escape valid sequence "Fooÿñ"'); - - // Checks that special characters are escaped. - $tests[] = array("